Abusing Atlassian, Archbee and Nuclino workspaces

    Aug. 2, 2024

    Key Points

    What you'll learn in this article

    • A phishing link embedded in an email sent from addresses associated with Japanese ISPs.
    • Credential theft through phishing campaigns using unified workspace platforms like Atlassian, Archbee, and Nuclino.

    Mimecast Threat Research has identified a new phishing tactic where threat actors exploit compliance-related issues. These attackers deceive users into believing they must click on a link to address a compliance requirement, directing them to a fake company portal to harvest credentials or other sensitive information.

    There’s quite a lot of personalization in the emails such as details of a ‘device’ and several references to the company domain they are sending these campaigns to increase validity. The sender address name always refers to the target organizations domain name in the aim of fooling end users into thinking it is from their internal department.

    TI_notif-workspaces_abuse-pic1.webp

    There are various URLs used in this campaign, one interesting use is of postmark URLs to redirect to the user to these unified workspace solutions.

    • hxxps://click.pstmrk.it/3s/click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fapp.archbee.com%2525252Fpublic%2525252FPREVIEW-zC6lbWbDnmk5z3buJBCII%25252Fu4jK%25252FLz21AQ%25252FAQ%25252F82ec5a25-c50f-4c68-a1ad-64d3d3de6c19%25252F1%25252Fv1mx6BTihp%252Fu4jK%252FMz21AQ%252FAQ%252F81fdc556-5c20-4662-ae2e-00bb0fe3a7ee%252F1%252F1bKy8k_jhk%2Fu4jK%2FND21AQ%2FAQ%2Fb39933dc-3c34-4961-92a6-db7f088575be%2F1%2F6ayZ139fVi/u4jK/u0y1AQ/AQ/e869e477-658b-49e4-b61d-957766ad7b9f/1/lzhdvOcfmW/u4jK/vUy1AQ/AQ/9638350e-ed00-4ae7-8f62-b58ed9d0b391/1/i0yMJ-e4SI',

    There is multiple obfuscation techniques utilized to hide the true destination of a URL:

    • Multiple redirection
      • hxxps://click.pstmrk.it/3s/click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s...
    • Encoded characters
      • %2F, %252F, %25252F
    • Tracking parameters
      • u4jK, AQ, followed by strings like 82ec5a25-c50f-4c68-a1ad-64d3d3de6c19

    Following the link, we see the below page on archbee.com containing another link to be clicked to access a document. The page indicates the user will need to ‘sign-in’ again to gain access.

    TI_notif-workspaces_abuse-pic2.webp

    We see similar pages hosted on confluence which is a service used by many organisations and is commonplace to collaborate for employees across a business.

    TI_notif-workspaces_abuse-pic3.webp

    All links on these pages again have various obfuscation techniques to evade detection, and once clicked users are presented with a Microsoft login page with two examples shown below.

    TI_notif-workspaces_abuse-pic4.webp

    Mimecast continues to see threat actors making use of services such as OneDrive and Google Docs to host files or links in their campaigns, but the use of workspaces such as Atlassian has not previously been heavily abused previously. However there has been a noticeable increase in the use of Atlassian to evade detection which will continue to be monitored.

    Targets

    Australia, prominent law firms

    Targets

    Sender header email address

    • @re[.]commufa[.]jp
    • @biglobe[.]ne[.]jp

    URLs

    • hxxps://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fbatesbooks.com%25252F%25253Fgnwihigb%252Fu4jK%252F_TK1AQ%252FAQ%252Feb4ca8cd-9fd8-441d-bd47-ba8515ce4ecb%252F1%252F29ti9u-YHt%2Fu4jK%2F-jK1AQ%2FAQ%2F5144fccb-e0c2-47a4-bc78-4996415f3747%2F1%2Fp92u3QTaSb/u4jK/ATO1AQ/AQ/2fd5814e-142f-44ef-9cf1-186f556a5be6/1/s3sdWJSj3H
    • hxxps://click.pstmrk.it/3s/click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fapp.archbee.com%2525252Fpublic%2525252FPREVIEW-zC6lbWbDnmk5z3buJBCII%25252Fu4jK%25252FLz21AQ%25252FAQ%25252F82ec5a25-c50f-4c68-a1ad-64d3d3de6c19%25252F1%25252Fv1mx6BTihp%252Fu4jK%252FMz21AQ%252FAQ%252F81fdc556-5c20-4662-ae2e-00bb0fe3a7ee%252F1%252F1bKy8k_jhk%2Fu4jK%2FND21AQ%2FAQ%2Fb39933dc-3c34-4961-92a6-db7f088575be%2F1%2F6ayZ139fVi/u4jK/u0y1AQ/AQ/e869e477-658b-49e4-b61d-957766ad7b9f/1/lzhdvOcfmW/u4jK/vUy1AQ/AQ/9638350e-ed00-4ae7-8f62-b58ed9d0b391/1/i0yMJ-e4SI',
    Back to Top